As new security threats emerge every day, businesses need to be strategic and proactive in their approach to cyber security training. All staff should be equipped with the information they need to make wise decisions in areas which are fundamental to upholding security.
Unfortunately, ensuring end-to-end cyber safety and computer protection poses a major challenge for most organisations. There are a number of reasons for this such as a shortage of skills, lack of awareness and training, and insufficient incident response planning.
In response to the skills shortage, there are now a number of movements which aim to encourage more students to enter the cyber security workforce. Educators have updated their curriculums to make sure they are preparing students with skills that align with the real-world demands of the market. While such strategies will obviously be helpful in the long-term, they do not address today’s immediate and pressing security concerns.
Until there are enough information security professionals to fill the positions which are opening at an unprecedented rate across all industries, businesses themselves will need to lead the charge in promoting behaviours which help bolster cyber security.
A complacent reliance on existing security protocols is not enough. According to the IBM 2016 Cyber Security Intelligence Index, 60% of attacks originated from inside organisations. A quarter of these insider attacks were caused by inadvertent actors, i.e. they were executed without the user's knowledge. This statistic highlights the crucial importance of designing and implementing effective cyber security training programmes.
To help establish what exactly it is that staff should be taking away from a cyber security training course, Venturi’s Voice spoke to industry expert, James Packer.
James is a Cyber Security Professional at a Big 4 consultancy firm. He has worked with many companies in diverse business environments to build well-designed security systems capable of defending against the latest threats. James is also the President of the ISC2 London Chapter, a regional chapter of the global Information Security Consortium whose mission is to bring together a community of Information Security Professionals to share knowledge and drive innovation and inclusion within the wider community.
As a minimum requirement, all staff should have an understanding of the following things by the end of a cyber security training course.
1. What cyber security actually is
Although most people will be familiar with the term cyber security, a lack of clarity can cause confusion. In addressing this issue, James offered a helpful analogy which frames the topic of cyber security in an accessible way.
“Cyber security is the practice of protecting computer-based assets, ranging from documents and photos to databases and credit card details. Similarly to how you would protect an item of value in the real world, a car for example, with protections ranging from a gate to a garage, from keys to an alarm, cyber security is adding computer-based protection layers to items of value,” he said.
Of course, the depth of information staff members ought to possess will vary in accordance with their responsibilities. The training given to administrative assistants will not need to be as technical as the education given to the team’s software developers. However, it is important that all staff understand the fundamental concepts at play here.
2. The tools used to defend against attacks
A company-wide understanding of the importance of things such as antivirus software, firewalls and encryption will help to ensure that these tools are utilised in an appropriate and consistent manner. James highlighted the fact that all staff need to be aware of their personal responsibility in making sure security tools function properly.
“The staff need to keep in mind that, although they may not have responsibility for the operation of security tools such as anti-virus software and encryption, every system user has a part to play in ensuring that these tools function correctly and are not circumvented. It is important to keep in mind that each component is just one part of a much bigger security system,” he said.
Fortunately, most modern security tools can accommodate non-technical end users.
“These days, security tools are usually very intuitive, providing easily understood prompts when something is not quite right. All staff should be encouraged not to ignore these warning signs,” said James. A good cyber security training course should be carefully tailored around the specific systems and software programmes that are used by the business.
3. Where the security vulnerabilities lie
Building a perfectly secure system is simply not possible. It is important for employees to be aware of the areas of greater vulnerability, as this is where attackers focus their attention. Human error is the root cause of many security breaches.
“The most effective opportunities for minimizing the risk of human error stem from avoiding unnecessary human input. Reducing the potential attack surface created by user inputs greatly reduces the likelihood of successful attacks. Companies should seize any opportunities to automate work and data flows. This will reduce the demands placed on their security system by removing unnecessary attack vectors,” said James.
4. The real-world implications of security breaches
Employees will be more inclined to adhere to cyber security policies and processes if they appreciate what is at stake. There are countless recent examples of major cyber attacks which can be used to illustrate the far-reaching and often devastating consequences of lapses in security.
In May, a strain of ransomware called WannaCry made international headlines when it hit hundreds of thousands of targets, including public utilities and large corporations. Notably, the ransomware temporarily crippled NHS hospitals and facilities in the UK, hobbling emergency rooms, delaying vital medical procedures, and creating chaos for many British patients.
5. Industry standards and regulations
Each business is different, and concerns vary by sector. By educating employees on the safety standards and regulatory policies and procedures of their industry, company executives can better ensure that their organisations maintain high standards of compliance. However, there is one significant piece of legislation which will soon apply across all sectors: the European General Data Protection Regulation (GDPR), which comes into force in May 2018.
The legislation will change how businesses and public sector organisations can handle the information of customers. James summarised its key points:
“GDPR significantly expands the definition of personal data, bringing in parts of IT not covered by regulations. This will bring increases in the application of liability and the financial sanctions. GDPR also gives further power to the individual, most notably, the right to be informed and the right to be forgotten. Individuals (known as ‘Data Subjects’ under the legislation) will have the power to request, free of charge, transparent and intelligible information about the processing of their data. Data processors have a legal obligation to provide this. Individuals also have the power to withdraw consent for processing of their data at any given time and data processors have a legal obligation (save for exceptions in specific scenarios) to comply with this withdrawal,” he said.
The best way to prepare for the changes GDPR will bring is to start a company-wide conversation to gain knowledge and insight into how the regulation will affect your business and your employees.
6. The role they play in ensuring cyber security
Perhaps the most critical takeaway message staff should gain from a cyber security training course is an understanding of the role they play. While they may not be responsible for carrying out the incident response plan, each staff member has a responsibility to uphold the security of the business.
The simple act of opening a work email and clicking on a link can compromise the entire infrastructure of a firm, as well as the privacy of all of its customers' information. With so much on the line, it is imperative that companies take measures to ensure the best possible approach to information security at every level of the organisation.
“The most effective habit that staff can adopt to help protect systems is to embed security awareness in day-to-day operations: try to think like an attacker trying to steal information or cause damage, question processes or tasks from a security perspective and be curious to learn about security!” said James.
Over the coming years, well thought-out employee education will play an increasingly critical role in guarding against cyber attacks.